Call API key after knitting to HTML instead of embedding key

SymbolixAU / googleway

R Package for accessing and plotting Google Maps

http://symbolixau.github.io/googleway/

Other

234 stars 46 forks source link

Call API key after knitting to HTML instead of embedding key #236

Open jacciz opened 3 years ago

jacciz commented 3 years ago

This is more of a feature request particularly for non self-contained HTMLs. The API key gets embedded inside the HTML document after knitting and would like the option to call the key from a separate file. I do plan on hosting the HTML reports on a public website. My solution for now was to save the js file that the API calls into 'api.js' file and then change the HTML code to call this file. Below is the script.

library(xml2)

files = list.files(pattern = ".html")

replace_api_key <- function(html_filename) {
  h2 = read_html(html_filename)

  # Find api key
  g_api <- xml_find_first(h2, "//script[contains(@src, 'maps.googleapis.com')]")
  xml_attrs(g_api)<- c(src = 'lib/api.js')

  write_html(h2, html_filename,
             options = c("as_html"))
}

dcooley commented 3 years ago

Could you expand a little on what this request is please; I don't quite understand what you're asking.

Is your replace_api_key() function a proposed function for googleway? And how will the api key get called after the html has been knitted?

jacciz commented 3 years ago

I'm creating a series of HTML reports that will be publicly available. I do not want the key to be embedded inside these HTMLs. Rather I want to call the key inside the HTML. It's my understanding this is more secure?

I'm saving this js file that gets retrieved via your code below to a dependency folder (lib). This file I called api.js.

header <- paste0('<script src="https://maps.googleapis.com/maps/api/js?key=',
                key, '&libraries=', paste0(libraries, collapse = ","), '"></script>',
                '<script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"></script>')

Then I'm changing the script src to call api.js.

<script src=";ib/api.js"></script>

I hope this makes sense. Or maybe there's a better way?

dcooley commented 3 years ago

One solution I often use: If you're hosting the reports on your own server you can 'white list' that server in the API console, so that your key only works on that server.

In your proposed solution, is the key still visible in the source of the html file, or is it completely hidden?

jacciz commented 3 years ago

I'm no web developer but I think the DOM still needs to read the js files. So it's not in the HTML, per se, but you do have to dig deeper to find it. Not sure if possible to encrypt it. But since I have 70+ reports, they are all reading this one file rather than each one having the key embedded. This makes it easier if I were to change/restrict the key. I'll look into this 'white list', it may be a better solution. Thanks!